Hello everyone, new here.
And I’ve recently been having a URL:Mal problem, like so many others I’ve seen on this forum.
So here is the story:
One day I was reading a manga and my browser closed randomly. Suspicious, I checked my processes and eventually found a virus. It was a pain to get rid of, but I got it completely removed to the best of my knowledge. Recently I’ve run more scans with other AV scanners and found a few more, and removed those too. But I still keep getting this URL:Mal blocked randomly when on Google. It redirects me to this weird website that has an IP in the front: 64.111.211.158, on firefox.exe.
Hello Kash, we first need to see your OTS log and then I can proceed with the removal, so:
Download OTS to your Desktop and double-click on it to run it
Make sure you close all other programs and don’t use the PC while the scan runs.
Select All Users
Under additional scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Please attach the log in your next post.
Edited to add custom scans
Please ensure that all logs are saved in the ANSI format
C:\WINDOWS\system32\giveio.sys: this file is known to be a TDSS rootkit if it is not associated with any program, according to the info I have gathered, and the OTS log doesn’t show any program name in front of it. That means this should be the TDSS rootkit. Kill it now via:
[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
It would be better if com155 would first go and get trained at the places that are meant for that, get a proper qualification as a qualified malware remover, and then come back here.
On completion of this run, can you let me know if the problem persists?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (srvE84) srvE84 [Auto | Stopped] ->
[Registry - Safe List]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache -> C:\Documents and Settings\Kash\Application Data\Mozilla\Firefox\Profiles\yljv4vyr.default\extensions\{52e21792-7d01-482b-8dff-17fc4657b665}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {0D1F7040-49E7-44F3-AFDD-E063A520F57f} [HKLM] -> C:\WINDOWS\system32\atipdlxx32.dll [Reg Error: Value error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\XAPOFX1_232.exe" -> [C:\WINDOWS\system32\XAPOFX1_232.exe:*:Enabled:Windows Update Service]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\XAPOFX1_232.exe" -> [C:\WINDOWS\system32\XAPOFX1_232.exe:*:Enabled:Windows Update Service]
[Registry - Additional Scans - Safe List]
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
YN -> srvE84 ->
[Files/Folders - Modified Within 30 Days]
NY -> 171055953 -> C:\WINDOWS\System32\171055953
NY -> atipdlxx32.dll -> C:\WINDOWS\System32\atipdlxx32.dll
NY -> yby.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\yby.exe
NY -> wus.exe -> C:\Documents and Settings\All Users\Application Data\wus.exe
NY -> vuj.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\vuj.exe
NY -> ukl.exe -> C:\Documents and Settings\All Users\Application Data\ukl.exe
NY -> ujv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\ujv.exe
NY -> kat.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\kat.exe
NY -> hhm.exe -> C:\Documents and Settings\All Users\Application Data\hhm.exe
NY -> fty.exe -> C:\Documents and Settings\All Users\Application Data\fty.exe
NY -> dcs.exe -> C:\Documents and Settings\All Users\Application Data\dcs.exe
NY -> j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\Kash\Local Settings\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY -> j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\All Users\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY -> tss.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tss.exe
NY -> tii.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tii.exe
NY -> ofm.exe -> C:\Documents and Settings\All Users\Application Data\ofm.exe
NY -> nkd.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\nkd.exe
NY -> kot.exe -> C:\Documents and Settings\All Users\Application Data\kot.exe
NY -> hkv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\hkv.exe
NY -> gpb.exe -> C:\Documents and Settings\All Users\Application Data\gpb.exe
NY -> ejm.exe -> C:\Documents and Settings\All Users\Application Data\ejm.exe
NY -> duh.exe -> C:\Documents and Settings\All Users\Application Data\duh.exe
[Files - No Company Name]
NY -> atipdlxx32.dll -> C:\WINDOWS\System32\atipdlxx32.dll
NY -> yby.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\yby.exe
NY -> wus.exe -> C:\Documents and Settings\All Users\Application Data\wus.exe
NY -> vuj.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\vuj.exe
NY -> ukl.exe -> C:\Documents and Settings\All Users\Application Data\ukl.exe
NY -> ujv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\ujv.exe
NY -> kat.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\kat.exe
NY -> hhm.exe -> C:\Documents and Settings\All Users\Application Data\hhm.exe
NY -> fty.exe -> C:\Documents and Settings\All Users\Application Data\fty.exe
NY -> dcs.exe -> C:\Documents and Settings\All Users\Application Data\dcs.exe
NY -> j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\Kash\Local Settings\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY -> j32fl865s40d45oky84k7k52hiujn68p040 -> C:\Documents and Settings\All Users\Application Data\j32fl865s40d45oky84k7k52hiujn68p040
NY -> tss.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tss.exe
NY -> tii.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\tii.exe
NY -> ofm.exe -> C:\Documents and Settings\All Users\Application Data\ofm.exe
NY -> nkd.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\nkd.exe
NY -> kot.exe -> C:\Documents and Settings\All Users\Application Data\kot.exe
NY -> hkv.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\hkv.exe
NY -> gpb.exe -> C:\Documents and Settings\All Users\Application Data\gpb.exe
NY -> ejm.exe -> C:\Documents and Settings\All Users\Application Data\ejm.exe
NY -> duh.exe -> C:\Documents and Settings\All Users\Application Data\duh.exe
[Custom Scans]
YY -> LoLRecommendedItems.exe -> C:\LoLRecommendedItems.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
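An added example, not part of the thread or of the OTS tool itself: a small Python parser for the fix-script format pasted above, run over a constructed excerpt of the lines posted. It turns the `YN -> name -> path` entries into records and lists the distinct on-disk paths the fix would act on, so a helper can review that list before telling someone to run the fix.

```python
import re

# Constructed excerpt in the OTS fix-script format used in this thread:
# [section] headers, "< sub-header > -> key" lines, and "FLAGS -> name -> target" entries.
SAMPLE_FIX = r"""[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {0D1F7040-49E7-44F3-AFDD-E063A520F57f} [HKLM] -> C:\WINDOWS\system32\atipdlxx32.dll [Reg Error: Value error.]
[Files/Folders - Modified Within 30 Days]
NY -> atipdlxx32.dll -> C:\WINDOWS\System32\atipdlxx32.dll
NY -> yby.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\yby.exe
[Files - No Company Name]
NY -> atipdlxx32.dll -> C:\WINDOWS\System32\atipdlxx32.dll
NY -> yby.exe -> C:\Documents and Settings\Kash\Local Settings\Application Data\yby.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
SUBSECTION_RE = re.compile(r"^<\s*(.+?)\s*>\s*->\s*(.*)$")
ENTRY_RE = re.compile(r"^([YN])([YN]) -> (.+?) -> (.*)$")


def parse_fix(text):
    """Return one dict per YN/NY entry, tagged with the section it sits under."""
    records, section, subsection = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1), None
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            subsection = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            records.append({"section": section, "subsection": subsection,
                            "flags": m.group(1) + m.group(2),
                            "name": m.group(3), "target": m.group(4)})
    return records


def targeted_files(records):
    """Distinct drive-letter paths the fix would touch (case-insensitive on Windows)."""
    seen = {}
    for r in records:
        path = r["target"].split(" [")[0].strip()  # drop a trailing "[Reg Error: ...]"
        if re.match(r"^[A-Za-z]:\\", path):
            seen.setdefault(path.lower(), path)
    return sorted(seen.values())
```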
Thanks, essexboy.
I’ve applied the fix and run it. I will post the log below.
Also I will be searching on google to see if I get redirected to the bad IP and will post on here if it does.
So I guess I’m going to stick away from the manga for now until this is solved.
The website I supposedly got the virus from is www.mangafox.com, if you’re curious.